Coordinated Vulnerability Disclosure
Microsoft is committed to protecting customers' information, and the Microsoft Security Response Center (MSRC) is integral to this commitment. MSRC investigates all reported security vulnerabilities in Microsoft products. When we receive a vulnerability report, we develop an update as quickly as possible and broadly disseminate information about the vulnerability, the risk it poses, and what customers can do to protect themselves against it. However, to do this we need the help of the people who discover security vulnerabilities. Microsoft products run on thousands of different manufacturers' hardware, in millions of different configurations, and in conjunction with countless other applications.
We take the responsibility for fixing our products very seriously. We ask the security research community to give us an opportunity to correct the vulnerability before publicly disclosing it, as we ourselves do when we discover vulnerabilities in other vendors' products.
This serves everyone's best interests by ensuring that customers receive comprehensive, high-quality updates for security vulnerabilities but are not exposed to malicious attacks while the update is being developed. After customers are protected, public discussion of the vulnerability is entirely in order, and helps the industry at large improve its products.
Many security professionals follow these practices, and Microsoft may single them out for special thanks. The acknowledgment section of our security bulletins and advisories is intended to do this. When you see a security professional acknowledged in a Microsoft security bulletin, it means that they reported the vulnerability to us confidentially, worked with us to develop the update, and helped us disseminate information about it after remediating the threat.
This set of practices is called Coordinated Vulnerability Disclosure (CVD) and has been adopted by Microsoft and other software vendors across the industry.
Microsoft's Approach to Coordinated Vulnerability Disclosure
Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to protect themselves.
For more information on CVD, download the document "Coordinated Vulnerability Disclosure at Microsoft".
Occasionally Microsoft employees may discover vulnerabilities in non-Microsoft or third-party software in the course of their daily work or as a result of independent research. In both of these cases, Microsoft employees observe coordinated vulnerability disclosure to help ensure that the ecosystem remains protected. Microsoft has developed a comprehensive strategy for handling vulnerabilities discovered in third-party software. The Microsoft Vulnerability Research (MSVR) program is responsible for the discovery, reporting, and coordination of vulnerabilities in third-party products and services. In all cases, a Microsoft employee who discovers a vulnerability in third-party software informs the MSVR program, and works to disclose details of the vulnerability in a coordinated manner with the vendor. For more information on the MSVR program, see Microsoft Vulnerability Research.